Attackers Are Exploiting Cisco SD-WAN Manager and LiteSpeed cPanel Plugin
Attackers are exploiting Cisco Catalyst SD-WAN Manager (CVE-2026-20262) and the LiteSpeed cPanel plugin (CVE-2026-54420), both added to CISA KEV on June 15, 2026. Patch now.
If you run Cisco Catalyst SD-WAN Manager or the LiteSpeed cPanel plugin, attackers are already exploiting both. CVE-2026-20262 lets an authenticated user write files anywhere on a Cisco SD-WAN Manager appliance (formerly vManage), a foothold that can be turned into elevated privileges. CVE-2026-54420 lets a single shared-hosting tenant escalate to root through the LiteSpeed cPanel plugin. CISA added both to its Known Exploited Vulnerabilities catalog on June 15, 2026, both vendors confirm the attacks are real, and both flaws now carry a federal patch deadline.
The two scores tell you why KEV, not CVSS, is the trigger here. Cisco’s flaw is rated CVSS 6.5 (Medium) and the LiteSpeed flaw 8.5 (High), yet both are being used in real attacks right now. The number that should move your queue is the one that says “exploited,” not the severity band.
Am I affected?
Cisco Catalyst SD-WAN Manager (CVE-2026-20262). Per Cisco’s advisory, these release trains are affected:
- 20.9.9.1 and earlier
- 20.12.7.1 and earlier
- 20.15.4.4 and earlier
- 20.15.5.2 and earlier
- 20.18.3
- 26.1.1.1 and earlier
The flaw (CWE-22) lets a remote attacker who already holds valid credentials with at least write access create or overwrite any file on the appliance filesystem. That arbitrary file-write primitive is what makes a Medium-scored, authenticated bug worth a same-day response: it can be chained toward elevated privileges. Cisco lists no workarounds.
LiteSpeed cPanel plugin (CVE-2026-54420). Per LiteSpeed, the affected versions are the cPanel user-end plugin before 2.4.8 and the WHM plugin before 5.3.2.1. The flaw (CWE-61, symlink following) applies to shared hosting servers running CloudLinux/CageFS. The exploit path requires a user who already has FTP or web shell access on the box, and from there it escalates to root. If you run multi-tenant shared hosting on that stack, treat every tenant as a potential starting point.
What to do now
Cisco: patch, because there is no workaround. Upgrade to the fixed release on your train:
| Affected train | Fixed release |
|---|---|
| 20.9.x | 20.9.9.2 |
| 20.12.x | 20.12.7.2 |
| 20.15.4.x | 20.15.4.5 |
| 20.15.5.x | 20.15.5.3 |
| 20.18.x | 20.18.3.1 |
| 26.1.x | 26.1.1.2 |
The CISA remediation due date is June 29, 2026. Because exploitation needs valid write-access credentials, also review who holds those accounts and rotate any that could be exposed, but patching is the only durable fix.
LiteSpeed: update the plugin, or pull it. The fixed versions are cPanel plugin 2.4.8 and WHM plugin 5.3.2.1. LiteSpeed ships the update through its standard installer:
wget -O- https://litespeedtech.com/packages/cpanel/lsws_whm_plugin_install.sh | shIf you cannot update within hours, LiteSpeed’s interim step is to remove the vulnerable user-end plugin:
/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstallThe honest cost: uninstalling the user-end plugin removes the per-account LiteSpeed cache controls for tenants until you reinstall the fixed build, so plan the reinstall in the same maintenance window. The CISA due date here is June 18, 2026, only three days out, which reflects how short the path is from shared-host foothold to root.
How it is being exploited
For Cisco, the primary-source confirmation is Cisco’s own advisory: “In June 2026, the Cisco PSIRT became aware of limited exploitation of this vulnerability.” CISA added it to KEV on June 15, 2026 with a due date of June 29, 2026. Known ransomware campaign use is listed as “Unknown.” EPSS has no score for this CVE yet as of June 15, 2026, which is normal for a flaw this fresh.
For LiteSpeed, the vendor advisory states the flaw “is being actively exploited,” and NVD records it as exploited in the wild in May 2026. CISA added it to KEV on June 15, 2026 with a due date of June 18, 2026. EPSS is 0.3% (26th percentile) as of June 15, 2026, a reminder that EPSS measures broad exploitation probability and lags a known, targeted, in-the-wild case like this one. Known ransomware campaign use is listed as “Unknown.”
Neither vendor nor CISA has published indicators of compromise for these two as of this writing, so we are not reproducing any. Work from the vendor advisories and the KEV entries for the latest detail. We will update this post as primary-source telemetry adds to it.
How VulnMonitor helps
The hard part of a day like this is not reading two advisories. It is answering “do we run any of these versions, anywhere?” before the deadline. VulnMonitor keeps a live inventory of what you run, so when a CVE lands on KEV it reconciles the affected versions against that inventory and ranks the result by KEV status and EPSS. A Medium-scored Cisco bug that is actively exploited sorts above a quiet High, because the ranking follows exploitation, not just the base score. It does not stop the attack itself, so the patches above are still the actions that close the risk.
Updates
- 2026-06-15, 23:00 UTC Initial post. CVE-2026-20262 (Cisco Catalyst SD-WAN Manager, CVSS 6.5) and CVE-2026-54420 (LiteSpeed cPanel plugin, CVSS 8.5) both added to CISA KEV on June 15, 2026. Due dates June 29 and June 18, 2026.
Sources
Keep reading
CVSS vs EPSS vs KEV: how to prioritize CVEs that matter
CVSS vs EPSS vs KEV: three signals that rank vulnerabilities differently. Why CloudKey patches KEV-listed CVEs first, EPSS-elevated next, CVSS last.
Attackers Can Reach Root on UniFi OS and Lantronix Edge Servers
Ubiquiti UniFi OS and Lantronix EDS5000 reached CISA KEV on June 23 with unauthenticated root flaws, and Copy Fail (CVE-2026-31431) now hits B&R OT gear. Patch fast.
Splunk Enterprise CVE-2026-20253 Exploited: Patch Before June 21
CISA added Splunk Enterprise CVE-2026-20253 to KEV on June 18, 2026. Unauthenticated file write via PostgreSQL sidecar, federal due date June 21. Who is affected and what to do.